Addressing the cause, not symptoms

By Evan Hansen and John Borland
Staff Writers, CNET News.com
June 24, 2002, 4:00 a.m. PT

At first, the signs are subtle: Your computer is slower than usual, something is different about your browser, occasionally you're redirected to an unfamiliar Web site for no apparent reason.

When you finally figure out the problem, you discover that someone has been tracking every keystroke on your keyboard for days while using your PC's resources to maintain a network that researches extraterrestrial life. Adding insult to injury, you find that your 8-year-old son agreed to the whole mess to get some software given away online.

Variations of this scenario have proliferated across the Internet thanks to an emerging breed of opportunistic programs that push the limits on accepted business practices. The resulting potential for abuse affecting millions of computers at a time underscores the need for government regulation, which has been delayed for years.

The politically libertarian foundation of the Internet is certain to make any new law a difficult proposition. Many stalwarts prefer technological solutions, as evidenced by a growing grassroots movement of programmers dedicated to thwarting intrusive programs. Others argue that legislation is unnecessary because many offensive applications are of questionable business value and may die naturally.

However, after years of chances and failures, anti-regulatory dogma regarding the Internet has worn thin. People are becoming increasingly fed up with companies that seek to entrench themselves deep within the viscera of their PCs, and each violation of their trust by short-lived start-ups makes it more difficult for legitimate businesses to win back their confidence.

"To most consumers, the hard drive is like the home, with the same sense of the sanctity of the home," said Richard Smith, a privacy consultant responsible for revealing some of the earliest online breaches of personal information. "They react to someone snooping in their hard drive the same way they would to someone snooping around their house."

Free software downloaded from the Net has long carried a hidden price, often in the form of information collected about its recipients with tracking technologies opposed by privacy advocates yet tolerated by consumers. In the last few months, however, the issue has triggered an unprecedented backlash.

The technologies in question invite companies directly into consumers' hard drives, where they have nearly unlimited opportunity to manipulate computers. Barring consent, the practice might otherwise be called electronic trespassing or outright hacking.

Consumer concerns over such intrusions are finally being heard. In Washington, the Senate Commerce Committee signed off on a bill last month that among other things targets companies that include tracking software--known as "adware" or "spyware"--in their products to collect detailed consumer information used for marketing research. Moreover, a group studying consumer Internet privacy for the European Union extended the scope of its inquiry to include music programs, which have been among the most prolific sources for bundled tracking technologies.

But Washington's legislation, while taking some key steps toward securing privacy online, does little to address the broader issue of preventing unsolicited companies from camping out and running their businesses on individuals' hard drives.

To be truly effective, legislators must shed their reluctance to deal with specific technologies, which they have often avoided out of ignorance or to encourage unfettered growth of a previously booming new industry. There are no laws, for example, that prevent companies from changing individual computer settings--even though the practice is analogous to a traveling salesman entering a house and rearranging the furniture so that all chairs face a large advertising placard placed in the middle of the living room.

Free to be in your PC
"Many sites are taking garden-variety click-through agreements and doing things that hackers might do," said Ira Rothken, a lawyer who has brought several high-profile privacy cases, including a class action targeting DoubleClick that was settled last month. "That's the tension: Should there be certain things that should never be allowed?"

Although the power of software downloads to take control of PCs is well known, the technology has unaccountably been ignored in debates over Internet privacy and online regulation. TRUSTe, the main online privacy accreditation group in the United States, has voluntarily certified some 2,000 Web sites as safe for consumers and was initially assailed for refusing to review software, but that criticism never led to any action.

The issue was cast in stark relief this year, when millions of people discovered that they had agreed to install an application that quietly "piggybacked" on Kazaa's popular file-swapping software. The program, from a little-known start-up called Brilliant Digital Entertainment, had the potential to turn people's PCs into nodes for an ambitious commercial network that could host and disseminate music, ads or other content from different companies, using the PCs' processing power to do so.

Brilliant did nothing illegal, having stated its intentions in a standard consent agreement that accompanied the downloads. But the controversy illustrated the possibility of wide abuse to many consumers in clear terms for the first time.

"I am opposed to such piggybacking applications. They're dangerous for many reasons," said Andy Oram of technology publisher O'Reilly & Associates, speaking as a member of the activist group Computer Professionals for Social Responsibility. "Users don't really know what is being carried out, and it's possible they might not like the task. For instance, not all users approve morally of all biological experiments."

In their defense, Brilliant and many other companies have been forced to experiment with new business strategies to survive the dot-com bust. The post-apocalyptic shakeout has drastically reduced the number of previously free products and services on the Internet as companies look to make money any way they can--a situation that increasingly calls for government intervention to keep them from going too far.

Web businesses have long maintained that self-interest and self-regulation will provide the necessary safeguards for consumers online. Imposing laws at this early stage of the game will only do more harm than good, they argue.

"Anytime you start talking about writing new rules, you need to begin with a strong factual basis," said Ronnie Brooke of the Consumer Sentinel Project Team, an online fraud unit created by the Federal Trade Commission. "You need a lot of data to find the right trade-off, and it's still fairly young for that."

Why "opt in" is no option
Much of the debate has centered on this question: What constitutes fair notice of what companies are actually doing with individuals' private data? Consumer advocates have generally argued for an "opt in" method, which would require specific consent before companies could do anything with a consumer's personal information, such as sell it to marketers. More recently, some have advocated applying an opt-in approach to any software that takes over components of a PC, regardless of whether it collects data.

Businesses, on the other hand, have argued for an "opt out" method, which would automatically allow companies access to hard drives and use of personal information unless consumers were to take explicit steps to block them. As a practical matter, such a "default" mechanism would have enormous influence on behavior because most people typically keep the computer settings they've been given at the outset simply because it is the easiest thing to do.

Although the opt-in alternative adds an important layer of security, it has proven a political deal-breaker in Congress. Last year, for instance, Sen. Ernest "Fritz" Hollings proposed opt-in privacy requirements for collecting personal information that were immediately opposed by Sens. Conrad Burns and Bob Kerrey, who had drafted competing legislation.

The two sides compromised on the current bill, S. 2201, requiring opt-in approval only for sensitive information defined as financial status, medical history, Social Security numbers, ethnicity, religious affiliation, sexual orientation and political party affiliation. Other information is considered non-sensitive data that can be used for marketing research and therefore subject to the opt-out approach.

"Hollings got crushed last year because of opt-in," said Chris Hoofnagle, legislative counsel with the Electronic Privacy Information Center (EPIC).

Politics aside, the technology exists to make opt-in proposals a reality. Industry standards groups have approved tools that allow Web surfers to automatically compare preset preferences to privacy policies and act on them by agreeing in advance to accept or reject certain actions.
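The kind of comparison described in this paragraph, as an added illustration that is not part of the original article: a user's preset preferences are matched against a site's published P3P compact policy and an accept-or-reject decision is made before any data changes hands. The three-letter tokens and the "a"/"i"/"o" suffixes are the real P3P 1.0 compact-policy vocabulary; the sample header values, the preference set and the function names are constructed for this example. Following the article's point that most people keep whatever defaults they are given, the example treats an "opt-out" practice as if it always applied unless the preference object says otherwise.

```python
from dataclasses import dataclass, field

# P3P 1.0 compact-policy tokens, grouped by the policy element they summarise
# (real vocabulary from the P3P 1.0 specification; only the subset needed here).
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}

# Purpose and recipient tokens may carry a one-letter suffix saying how the
# practice is applied: a = always, i = only if the user opts in, o = unless the user opts out.
SUFFIXES = {"a": "always", "i": "opt-in", "o": "opt-out"}


@dataclass
class CompactPolicy:
    purposes: dict = field(default_factory=dict)    # token -> always / opt-in / opt-out
    recipients: dict = field(default_factory=dict)  # token -> always / opt-in / opt-out
    retention: set = field(default_factory=set)
    other: set = field(default_factory=set)         # access, dispute and category tokens


def parse_compact_policy(header_value):
    """Parse a P3P header value such as 'CP="CUR ADM CONo UNRi STP"'."""
    value = header_value.strip()
    if value[:3].upper() == "CP=":
        value = value[3:]
    value = value.strip().strip('"')
    policy = CompactPolicy()
    for raw in value.split():
        base, mode = raw, "always"
        if len(raw) == 4 and raw[3] in SUFFIXES:
            base, mode = raw[:3], SUFFIXES[raw[3]]
        base = base.upper()
        if base in PURPOSE:
            policy.purposes[base] = mode
        elif base in RECIPIENT:
            policy.recipients[base] = mode
        elif base in RETENTION:
            policy.retention.add(base)
        else:
            policy.other.add(base)
    return policy


@dataclass
class Preferences:
    """A user's preset preferences (constructed for this example)."""
    # Purposes the user refuses when they apply without an explicit opt-in.
    refuse_purposes: set = field(default_factory=lambda: {"CON", "TEL", "IVA", "IVD", "OTP"})
    # Recipients the user refuses when sharing happens without an explicit opt-in.
    refuse_recipients: set = field(default_factory=lambda: {"OTR", "UNR", "PUB"})
    # Retention terms the user refuses outright.
    refuse_retention: set = field(default_factory=lambda: {"IND"})
    # Treat an "opt-out" default as if it always applied, since most users keep defaults.
    opt_out_counts_as_default: bool = True


def applies_without_consent(mode, prefs):
    """True when a practice takes effect unless the user actively stops it."""
    if mode == "always":
        return True
    if mode == "opt-out":
        return prefs.opt_out_counts_as_default
    return False  # opt-in: nothing happens until the user agrees


def evaluate(policy, prefs):
    """Compare a parsed policy to preferences; return (accept, list of reasons for refusal)."""
    reasons = []
    for token, mode in policy.purposes.items():
        if token in prefs.refuse_purposes and applies_without_consent(mode, prefs):
            reasons.append(f"purpose {token} applies ({mode})")
    for token, mode in policy.recipients.items():
        if token in prefs.refuse_recipients and applies_without_consent(mode, prefs):
            reasons.append(f"data shared with recipient {token} ({mode})")
    for token in policy.retention & prefs.refuse_retention:
        reasons.append(f"retention {token} not acceptable")
    return (not reasons, reasons)


def decide(header_value, prefs=None):
    """Convenience wrapper: header value in, 'accept'/'reject' plus reasons out."""
    prefs = prefs or Preferences()
    accept, reasons = evaluate(parse_compact_policy(header_value), prefs)
    return ("accept" if accept else "reject", reasons)


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    for header in ('CP="NOI DSP COR CUR ADM DEV OUR STP"',
                   'CP="CUR ADM CONo TELi UNRo IND"'):
        print(header, "->", decide(header))
```

Run stand-alone, the first sample (current-activity, administration and development purposes, data kept by the site itself) is accepted, while the second is rejected because marketing contact and sharing with unrelated parties are applied on an opt-out basis and the data is retained indefinitely; the opt-in telemarketing purpose in the same policy is not held against the site, since nothing happens until the user agrees to it.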

Buried in the fine print
To see the need for reform on this front, one need only consult any number of "terms of service" agreements or privacy policies attached to downloads available on the Web, impenetrably worded documents that are typically ignored by consumers. Only government regulation can ensure the prominence and readability of these crucial documents, which could include the use of desktop icons or other high-profile devices flagging people to their existence.

"Consumers need to have more confidence in the Internet," said Andy Davis, a spokesman for Hollings, who has been pushing vigorously for privacy legislation for the past three years and wrote the recently approved Commerce Committee bill. "You're not going to get deep adoption of broadband and e-commerce until consumers have greater trust doing business online."

Despite its shortcomings, the Hollings legislation is one of the strongest bills of its kind to date. It carries some powerful weapons for consumers, including the right to see information that companies keep about them and the ability to bring private lawsuits over leaks of sensitive data--two provisions bitterly opposed by business interests.

The provisions will bring a flood of litigation, companies argue. Joe Rubin, a lobbyist for the U.S. Chamber of Commerce, says the law would become "a trial lawyer's right-to-sue act."

Nevertheless, as powerhouses such as Microsoft and AOL begin offering technological and entertainment services that are increasingly intertwined with consumers' lives, property and finances, measures designed to strengthen trust are more important than ever.

In many ways, technology companies have only themselves to blame for any consumer anger. For years, many of the best-known names in the industry have built business plans that exploit consumers' lack of technical knowledge and their tendencies to glaze over fine print.

Trust still in short supply
According to an April report from Consumer WebWatch, a Web-ranking group backed by the nonprofit Consumers Union, just 29 percent of people in the United States who use the Internet trust Web sites that sell products or services. Of 1,500 telephone respondents, only one-third said they trust Web sites that provide advice about such purchases or services. That compares with 58 percent who said they trust newspapers and television news and 47 percent who said they trust the federal government.

Even if the Senate bill becomes law in its current form, lawmakers will have only begun to address the Internet's problem with public trust, which has become a dwindling commodity for any business sector in the post-Enron corporate world.

"It's an age-old question," lawyer Rothken said. "Is notice good enough to do what they're doing?"

Rather than broad legal parameters, consumers need regulations that would have an immediate impact on their computers. For example, consumers would benefit if software makers were required to offer tools that could remove technologies as easily as they were installed. Also helpful would be a required desktop icon or some other conspicuous label linked to a central place where consumers could review tasks tied to each application on their machines and manage preferences for them through a master menu.

Whether by design or oversight, applications used to collect consumer data, borrow PC resources or perform other functions through downloaded software are often built to run surreptitiously. Standard applications such as word-processing software display splash screens and icons indicating that the software is running, but adware, spyware and distributed-computing programs are far more difficult to find and manage--if the consumer is aware of their existence at all.

Oram, like many Internet pioneers, is wary of government intrusion on the medium. But he acknowledges that anyone who downloads software on the Internet today is vulnerable to the whims of piggybacked technologies and can even find themselves perpetuating offenses they have no control over, creating "the problem of cascading responsibility."

"The real-life equivalent to this is something experienced by many of us when we are young and have roommates," he said. "You may trust your roommate, but he or she may invite a friend over, and that friend may make a long-distance call for a couple hours that you find on your phone bill a month later after everybody has moved out." 

News.com's Mike Yamamoto contributed to this report.

DAY 1
Addressing the cause, not symptoms

DAY 2
In the trenches of techno-rebellion

DAY 3
Reality check: Does adware work?


Companies, lawmakers and consumers have been testing the boundaries of privacy over the past four years.

1998
May: White House issues memo to government agencies ordering focus on online privacy.

June: FTC issues report to Congress blasting online privacy protections, calling for regulation protecting children.

July: White House issues "Electronic Bill of Rights." Establishes lead privacy agency, calls for new rules protecting children's privacy online.

October: European Union Data Privacy Directive, containing stringent rules on how personal data can be used, goes into effect.

Congress passes law requiring sites to get permission to collect data on children.

1999
June: Privacy advocates erupt over DoubleClick's plan to merge databases containing consumers' Web surfing habits with personally identifiable information.

July: FTC says most Web sites have poor privacy practices, but says self-regulation can work.

October: FTC sets rules to protect children's privacy online.

November: RealNetworks turns off technology that could have tracked users' listening habits.

2000
January: President Clinton calls for online privacy protections in his State of the Union speech.

May: FTC says only 20 percent of Web sites follow basic privacy protections, calls for new legislation.

Sens. Ernest "Fritz" Hollings, D-S.C., and John Rockefeller, D-W.Va., introduce privacy legislation.

October: Sen. John Edwards introduces anti-spyware legislation.

Leaders in Senate and House vow to pass privacy legislation in 2001.

2001
January: Edwards reintroduces anti-spyware bill.

July: Privacy groups complain to FTC that Microsoft's Passport is intended to "profile, track and monitor" Web users.

September: Terrorist fears mute calls for online privacy rights.

October: FTC backs away from additional regulation as new chairman calls for "more law enforcement, not more laws."

Passage of Patriot Act gives government new latitude to monitor Internet communications.

December: California opens first state-level privacy agency.

2002
March: DoubleClick agrees to settle class-action suits charging it violated Web surfers' privacy.

April: Brilliant Digital Entertainment's Altnet plans for Kazaa revealed.

World Wide Web Consortium passes Platform for Privacy Preferences (P3P) proposal.

Hollings introduces compromise privacy bill.


Millions of computers are running free software downloads, many of which come loaded with hidden costs, including adware or spyware programs that have so far escaped legislation. Specific regulation could help prevent potential abuse.

• Make "terms of service" agreements and privacy policies prominent, easy to read and searchable.

• Require 30-day advance notice delivered to a person's desktop before changing published terms of service and privacy contracts.

• Demand an "opt in" method in which consumers would explicitly give consent before companies could do anything with their personal information, such as sell it to marketers.

• Prevent companies from changing individual computer settings, such as the home page, without first securing opt-in consent.

• Make software include an "opt out" feature that would notify people whenever data is transferred to another party and that would fully disclose the destination, including the name of the company receiving the information and valid contact information.

• Link a desktop icon to a central place where consumers could review tasks tied to each application on their machine and manage those preferences through a master menu.

• Require software to include a simple way to find information on the maker, including a physical address, e-mail address and phone number where people could seek reasonable technical support.

• Display a splash screen or icon indicating that the program is running.

• Permit consumers to see the information companies keep about them.

• Allow consumers to bring private lawsuits over leaks of sensitive personal data.

• Demand that uninstalling the software be as simple as installing it.
